Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CyberThreat. Show all posts
Over AI Standarization
AI Algorithms AP Artificial Intelligence ChatGPT Cyber Attacks CyberCrime Cybersecurity CyberThreat Dutch Authority Flags Human Centred Approach OpenAI Over AI Standarization

Dutch Authority Flags Concerns Over AI Standardization Delays

 


As the Dutch privacy watchdog DPA announced on Wednesday, it was concerned that software developers developing artificial intelligence (AI) might use personal data. To get more information about this, DPA sent a letter to Microsoft-backed OpenAI. The Dutch Data Protection Authority (Dutch DPA) imposed a fine of 30.5 million euros on Clearview AI and ordered that they be subject to a penalty of up to 5 million euros if they fail to comply. 

As a result of the company's illegal database of billions of photographs of faces, including Dutch people, Clearview is an American company that offers facial recognition services. They have built an illegal database. According to their website, the Dutch DPA warns that Clearview's services are also prohibited. In light of the rapid growth of OpenAI's ChatGPT consumer app, governments, including those of the European Union, are considering how to regulate the technology. 

There is a senior official from the Dutch privacy watchdog Autoriteit Persoonsgegevens (AP), who told Euronews that the process of developing artificial intelligence standards will need to take place faster, in light of the AI Act. Introducing the EU AI Act, which is the first comprehensive AI law in the world. The regulation aims to address health and safety risks, as well as fundamental human rights issues, as well as democracy, the rule of law, and environmental protection. 

By adopting artificial intelligence systems, there is a strong possibility to benefit society, contribute to economic growth, enhance EU innovation and competitiveness as well as enhance EU innovation and global leadership. However, in some cases, the specific characteristics of certain AI systems may pose new risks relating to user safety, including physical safety and fundamental rights. 

There have even been instances where some of these powerful AI models could pose systemic risks if they are widely used. Since there is a lack of trust, this creates legal uncertainty and may result in a slower adoption of AI technologies by businesses, citizens, and public authorities due to legal uncertainties. Regulatory responses by national governments that are disparate could fragment the internal market. 

To address these challenges, legislative action was required to ensure that both the benefits and risks of AI systems were adequately addressed to ensure that the internal market functioned well. As for the standards, they are a way for companies to be reassured, and to demonstrate that they are complying with the regulations, but there is still a great deal of work to be done before they are available, and of course, time is running out,” said Sven Stevenson, who is the agency's director of coordination and supervision for algorithms. 

CEN-CELENEC and ETSI were tasked by the European Commission in May last year to compile the underlying standards for the industry, which are still being developed and this process continues to be carried out. This data protection authority, which also oversees the General Data Protection Regulation (GDPR), is likely to have the shared responsibility of checking the compliance of companies with the AI Act with other authorities, such as the Dutch regulator for digital infrastructure, the RDI, with which they will likely share this responsibility. 

By August next year, all EU member states will have to select their AI regulatory agency, and it appears that in most EU countries, national data protection authorities will be an excellent choice. The AP has already dealt with cases in which companies' artificial intelligence tools were found to be in breach of GDPR in its capacity as a data regulator. 

A US facial recognition company known as Clearview AI was fined €30.5 million in September for building an illegal database of photos and unique biometric codes linked to Europeans in September, which included photos, unique biometric codes, and other information. The AI Act will be complementary to GDPR, since it focuses primarily on data processing, and would have an impact in the sense that it pertains to product safety in future cases. Increasingly, the Dutch government is promoting the development of new technologies, including artificial intelligence, to promote the adoption of these technologies. 

The deployment of such technologies could have a major impact on public values like privacy, equality in the law, and autonomy. This became painfully evident when the scandal over childcare benefits in the Netherlands was brought to public attention in September 2018. The scandal in question concerns thousands of parents who were falsely accused of fraud by the Dutch tax authorities because of discriminatory self-learning algorithms that were applied while attempting to regulate the distribution of childcare benefits while being faced with discriminatory self-learning algorithms. 

It has been over a year since the Amsterdam scandal raised a great deal of controversy in the Netherlands, and there has been an increased emphasis on the supervision of new technologies, and in particular artificial intelligence, as a result, the Netherlands intentionally emphasizes and supports a "human-centred approach" to artificial intelligence. Taking this approach means that AI should be designed and used in a manner that respects human rights as the basis of its purpose, design, and use. AI should not weaken or undermine public values and human rights but rather reinforce them rather than weaken them. 

During the last few months, the Commission has established the so-called AI Pact, which provides workshops and joint commitments to assist businesses in getting ready for the upcoming AI Act. On a national level, the AP has also been organizing pilot projects and sandboxes with the Ministry of RDI and Economic Affairs so that companies can become familiar with the rules as they become more aware of them. 

Further, the Dutch government has also published an algorithm register as of December 2022, which is a public record of algorithms used by the government, which is intended to ensure transparency and explain the results of algorithms, and the administration wants these algorithms to be legally checked for discrimination and arbitrariness.
Read more »
Online Store Security
Cyberattacks CyberCrime Cyberfrauds Cyberhackers Cybersecurity CyberThreat JavaScript malware Online Store Security

Cyberattack Compromises European Space Agency Online Store Security

 


A malware attack on the European Space Agency's official web shop revealed that the application was hacked by loading a JavaScript script that generated a fake Stripe payment page at checkout. With an annual budget of more than 10 billion euros, the European Space Agency (ESA) is dedicated to extending the boundaries of space activity through the training of astronauts and the development of rockets and satellites for exploring our universe's mysteries. 

Thousands of people were put at risk of wire fraud after the European Space Agency (ESA) website was compromised due to the recent exploitation of a credit card skimmer, which was found to be malicious on ESA's webshop. According to researchers from Sansec, the script creates a fake Stripe payment page when the customer is at checkout, which collects information from the customer. 

As a result of the fake payment page being served directly from ESA's web shop, which mimicked an authentic Stripe interface, it appeared authentic to unsuspecting users, who were unaware of the fraudulent payment process. According to Source Defense Research, screenshots of the malicious payment page were provided alongside the real one in the post, but this attack took advantage of domain spoofing with a different top-level domain to exploit domain spoofing, using a nearly identical domain name for the attack. 

The official shop of the European Space Agency is located under the domain "esaspaceshop.com," but the attackers used the domain "esaspaceshop.pics" to deceive visitors. Sansec, who flagged the incident, emphasized that the integration of the webshop with ESA's internal systems could significantly increase the risks for both employees and customers of the agency. 

An examination of the malicious script revealed that its HTML code was obscured, which facilitated detection as well as the theft of sensitive payment information, as it contained obfuscated HTML code derived from the legitimate Stripe SDK. The malicious code was created to create a convincing fake Stripe payment interface that looked legitimate because it was hosted by the official ESA web store domain. 

Although the fake payment page was removed, researchers discovered that the malicious script remained in the source code of the site. As of today, the ESA website has been taken offline, displaying a message indicating it has been taken out of orbit for an extended period. The agency clarified that this store is not hosted by its infrastructure, and they do not manage its associated data. 

As confirmed by whois lookup records indicating different ownership between the main domain of ESA (esa.int) and the compromised web store, it is not known exactly how many customers were affected by the breach, nor what financial impact it had. According to ESA's website, the company is well known for its role in astronaut training and satellite launches. However, it has not yet provided details as to how it intends to strengthen its online security measures after the incident occurred. 

A recent cyberattack on well-respected institutions shows just how vulnerable they can be to cyber attacks, especially when their e-commerce systems are integrated into a broader organization's network. According to cybersecurity experts, e-commerce platforms are urged to prioritize robust security protocols to prevent similar incidents from occurring in the future. This can erode customer trust and result in significant financial consequences. 

The past few months have seen an increase in cyberattacks targeting e-commerce platforms, with criminals using digital skimming methods to steal payment information. Earlier in August 2024, Malwarebytes reported that it had infiltrated Magento-based e-commerce platforms with skimmer code, exposing sensitive customer information, such as credit card numbers, by November 2024, as described by Malwarebytes. 

Sucuri discovered several PHP-based skimmers, such as Smilodon, harvesting payment data covertly. Although these skimmers were highly obfuscated, their detection was significantly hindered. Finland's Cybersecurity Centre reported in December 2024 that skimming attacks were on the rise, where malicious code embedded on payment pages was used to steal credit card information. Those developments highlight the crucial need for e-commerce platforms to implement robust security measures to ensure their customers' data is protected from unauthorized access. 

It is still unclear who was responsible for these attacks, but Magecart, one of the most infamous threat groups around, has been previously linked to similar activities, including installing credit card skimmers on prominent websites, which are typical of such attacks. During March 2023, Malwarebytes speculated that this group was involved in an extensive series of attacks targeting multiple online retailers, but this was not the first mention of the group. 

The majority of victims of credit card fraud that results from such breaches can receive refunds from their banks. Cybercriminals, however, use the stolen funds to finance malicious campaigns, including malware distribution. Likely, significant damage has already been done by the time the affected cards are locked and the funds are returned, even though the stolen funds can be used to finance fraudulent campaigns.
Read more »
Unfrastructure
Cyber Attacks CyberCrime Cybersecurity CyberThreat Interlock Ransomware attack Unfrastructure

Critical Infrastructure Faces Rising Ransomware Risks

 


In October 2024, Interlock claimed to have attacked several organizations, including Wayne County, Michigan, which is known for its cyberattacks. Ransomware is characterized by the fact that the encrypted data is encrypted by an encryptor specifically designed for the FreeBSD operating system, an operating system widely used in critical infrastructure. 

In late September 2024, a unique approach was used to launch the operation, which uses an encryptor specifically designed for FreeBSD. Interlock has already attacked several organizations, including Wayne County in Michigan, which was attacked in October 2024 by a cybercriminal organization called Interlock.

During the Interlock attack, the attacker breaches corporate networks, steals data from them, spreads to other devices laterally, and encrypts their files. In addition to using double-extortion tactics, they threaten to leak stolen data unless ransom demands of hundreds of thousands to millions of dollars are met. A particular feature of Interlock is its focus on FreeBSD encryptors, which makes it uniquely different from other ransomware groups that target Linux-based VMware ESXi servers. 

FreeBSD is a widely used operating system and a prime target of malicious hackers who want to disrupt critical infrastructure and extort victims for a large sum of money. This FreeBSD encryptor was developed specifically for FreeBSD 10.4, and it is a 64-bit ELF executable that is designed specifically for FreeBSD. 

Although the sample was tested on both Linux and FreeBSD virtual machines, the execution of the code was problematic since it failed to work in controlled environments. A ransomware attack is a sophisticated type of malware that seeks to seize control of data, effectively denying access to files and systems. 

In this malicious software, advanced encryption techniques are employed to render data inaccessible without a unique decryption key exclusive to the attackers. There is usually a ransom payment, usually in cryptocurrency, which victims are required to make to restore access and secure the attackers' privacy. Security experts Simo and MalwareHunterTeam, who analyzed ransomware samples, revealed the attack's initial details and the attackers' anonymity. 

As with most ransomware attacks, Interlock follows a typical pattern: the attackers breach corporate networks, steal sensitive information, copy the data and spread to other devices, encrypting files as they are copied. In addition to using double-extortion tactics, they also threaten to leak stolen data unless the victim pays a ransom of thousands to millions of dollars, depending on the size of the ransom. It is also the focus on FreeBSD that makes Interlock particularly unique, which illustrates why this operating system has a vital role to play in critical systems. 

A major characteristic of Interlock's ransomware is its direct targeting of FreeBSD servers, which are common in web hosting, mail servers, and storage systems. Unlike other ransomware groups that usually target Linux-based VMware ESXi servers, Interlock targets FreeBSD servers. Besides being integral to critical operations, these systems serve as lucrative targets for attackers. 

In spite of FreeBSD's popularity and essential services, its focus can also pose a challenge to cybersecurity professionals. In the initial testing phase of FreeBSD's encryptor, which was explicitly compiled for the FreeBSD 10.4 operating system, it did not prove easy to execute both the FreeBSD and Linux encryptors in controlled environments, since the encryptor is written as a 64-bit ELF executable. However, despite these hurdles, Trend Micro researchers discovered further samples of the encryption, confirming its functionality, strategic focus and capabilities. 

As a reminder of the vulnerabilities within critical infrastructure, Interlock has launched its attacks to increase awareness. The fact that it uses FreeBSD's own encryptor is a troubling development in ransomware tactics. This emphasizes the importance of strong security measures to safeguard against this increasing threat. To minimize the risk and impact of such cyberattacks, organizations should prioritize improving their security strategies.

It is recommended by Ilia Sotnikov, Security Strategist at Netwrix, that organizations use multi-layered security measures to prevent initial breaches, including firewalls and intrusion detection systems, as well as phishing defences. Interlock, a ransomware group that has been attacking organizations worldwide lately, has used an unusual approach of creating an encryptor to attack FreeBSD servers as a means of stealing data. 

Generally, FreeBSD is considered to be one of the most reliable operating systems available, so it is commonly used for critical functions. For example, the web host, mail server and storage systems are all potential targets for attackers, all of which can pose a lucrative threat. According to Sotnikov, depending on their configuration, a server may or may not be directly connected to the Internet, depending on their function. 

The security team should invest in defence-in-depth so that a potential attack is disrupted as early as possible so that every subsequent step for the attacker will be more difficult, and so that potentially harmful activity can be identified as fast as possible with the help of monitoring tools. Considering that the adversary is likely to access the FreeBSD server from inside the network, it might be a good idea to minimize standing privileges by implementing the zero trust principle, which means that a user should only have access to the permissions needed to achieve their tasks, sotnikov suggested.
Read more »
TraderTraitor
Bitcoin Cyber Attacks CyberCrime Cybersecurity CyberThreat DMM FBI Ginco lazarus TraderTraitor

Bitcoin Heist in Japan Attributed to North Korean Cybercriminals

 


A joint alert from the FBI, the Department of Defense (D.O.D.) Cyber Crime Center and the National Police Agency of Japan reveal that a North Korean threat group carried out a significant cryptocurrency theft from Japan's crypto firm DMM in May 2024. The group, referred to as TraderTraitor—also known as Jade Sleet, UNC4899, and Slow Pisces — is believed to be linked to the Lazarus Group, a notorious hacking collective with ties to Pyongyang authorities.

The Lazarus Group, infamous for high-profile cyberattacks, gained notoriety for hacking Sony Pictures in retaliation for the 2009 film The Interview, which mocked North Korean leader Kim Jong Un. Their recent activities, however, focus on cryptocurrency theft, leveraging advanced social engineering techniques and malicious code.

Social Engineering and the Ginco Incident

In late March 2024, a TraderTraitor operative posing as a recruiter contacted an employee of Ginco, a Japanese cryptocurrency wallet software company, via LinkedIn. Disguised as part of a pre-employment process, the operative sent a malicious Python script under the guise of a coding test. The employee unknowingly uploaded the script to their GitHub account, granting the attackers access to session cookie information and Ginco’s wallet management system.

The attackers intercepted legitimate transaction requests from DMM employees by maintaining this access. This led to the theft of over 4,500 bitcoins, valued at $308 million. The funds were traced to accounts managed by the TraderTraitor group, which utilized mixing and bridging services to obfuscate the stolen assets.

North Korea's Financial Strategy and Cryptocurrency Exploitation

With international sanctions severely restricting North Korea's access to global financial systems, the regime increasingly relies on cybercrime and cryptocurrency theft for revenue generation. Due to their decentralized and pseudonymous nature, cryptocurrency presents a lucrative target for laundering stolen funds and bypassing traditional banking systems.

Chainalysis Findings

Blockchain intelligence firm Chainalysis attributed the DMM Bitcoin hack to North Korean actors. The attackers exploited weaknesses in the platform's infrastructure to perform unauthorized withdrawals. The stolen cryptocurrency was routed through multiple intermediary addresses and processed via the Bitcoin CoinJoin mixing service to conceal its origins. Portions of the funds were further transferred through various bridge services before being channelled to HuiOne Guarantee, a website linked to the Cambodian conglomerate HuiOne Group, a known facilitator of cybercrime.

Additional Findings by AhnLab Security Intelligence Center

The AhnLab Security Intelligence Center (ASEC) has reported another North Korean threat actor, Andariel — part of the Lazarus Group — deploying a backdoor known as SmallTiger. This tool has been used in campaigns parallel to those executed by TraderTraitor, highlighting the group's continued evolution in cybercrime tactics.

The coordinated alert from international agencies underscores the urgent need for enhanced cybersecurity measures within the cryptocurrency industry to counter sophisticated threats like those posed by the Lazarus Group and its affiliates.


Read more »
Tech Industry
Cyberattacks CyberCriminal Cybersecurity CyberThreat Data Data Minimizations GDPR Privacy Tech Industry

Tech's Move Toward Simplified Data Handling

 


The ethos of the tech industry for a long time has always been that there is no shortage of data, and that is a good thing. Recent patents from IBM and Intel demonstrate that the concept of data minimization is becoming more and more prevalent, with an increase in efforts toward balancing the collection of information from users, their storage, and their use as effectively as possible. 

It is no secret that every online action, whether it is an individual's social media activity or the operation of a global corporation, generates data that can potentially be collected, shared, and analyzed. Big data and the recognition of data as a valuable resource have led to an increase in data storage. Although this proliferation of data has raised serious concerns about privacy, security, and regulatory compliance, it also raises serious security concerns. 

There is no doubt that the volume and speed of data flowing within an organization is constantly increasing and that this influx brings both opportunities and risks, because, while the abundance of data can be advantageous for business growth and decision-making, it also creates new vulnerabilities. 

There are several practices users should follow to minimize the risk of data loss and ensure an environment that is safer, and one of these practices is to closely monitor and manage the amount of digital data that users company retains and processes beyond its necessary lifespan. This is commonly referred to as data minimization. 

According to the principle of data minimization, it means limiting the amount of data collected and retained to what is necessary to accomplish a given task. This is a principle that is a cornerstone of privacy law and regulation, such as the EU General Data Protection Regulation (GDPR). In addition to reducing data breaches, data minimization also promotes good data governance and enhances consumer trust by minimizing risks. 

Several months ago IBM filed a patent application for a system that would enable the efficient deletion of data from dispersed storage environments. In this method, the data is stored across a variety of cloud sites, which makes managing outdated or unnecessary data extremely challenging, to achieve IBM's objective of enhancing data security, reducing operational costs, and optimizing the performance of cloud-based ecosystems, this technology has been introduced by IBM. 

By introducing the proposed system, Intel hopes to streamline the process of removing redundant data from a system, addressing critical concerns in managing modern data storage, while simultaneously, Intel has submitted a patent proposal for a system that aims to verify data erasure. Using this technology, programmable circuits, which are custom-built pieces of hardware that perform specific computational tasks, can be securely erased.

To ensure the integrity of the erasure process, the system utilizes a digital signature and a private key. This is a very important innovation in safeguarding data security in hardware applications, especially for training environments, where the secure handling of sensitive information is of great importance, such as artificial intelligence training. A growing emphasis is being placed on robust data management and security within the technology sector, reflected in both advancements. 

The importance of data minimization serves as a basis for the development of a more secure, ethical, and privacy-conscious digital ecosystem, as a result of which this practice stands at the core of responsible data management, offering several compelling benefits that include security, ethics, legal compliance, and cost-effectiveness. 

Among the major benefits of data minimization is that it helps reduce privacy risks by limiting the amount of data that is collected only to the extent that is strictly necessary or by immediately removing obsolete or redundant information that is no longer required. To reduce the potential impact of data breaches, protect customer privacy, and reduce reputational damage, organizations can reduce the exposure of sensitive data to the highest level, allowing them to effectively mitigate the potential impact of data breaches. 

Additionally, data minimization highlights the importance of ethical data usage. A company can build trust and credibility with its stakeholders by ensuring that individual privacy is protected and that transparent data-handling practices are adhered to. It is the commitment to integrity that enhances customers', partners', and regulators' confidence, reinforcing the organization's reputation as a responsible steward of data. 

Data minimization is an important proactive measure that an organization can take to minimize liability from the perspective of reducing liability. By keeping less data, an organization is less likely to be liable for breaches or privacy violations, which in turn minimizes the possibility of a regulatory penalty or legal action. A data retention policy that aligns with the principles of minimization is also more likely to ensure compliance with privacy laws and regulations. 

Additionally, organizations can save significant amounts of money by minimizing their data expenditures, because storing and processing large datasets requires a lot of infrastructure, resources, and maintenance efforts to maintain. It is possible to streamline an organization's operation, reduce overhead expenditures, and improve the efficiency of its data management systems by gathering and retaining only essential data. 

Responsible data practices emphasize the importance of data minimization, which provides many benefits that are beyond security, including ethical, legal, and financial benefits. Organizations looking to navigate the complexities of the digital age responsibly and sustainably are critical to adopting this approach. There are numerous benefits that businesses across industries can receive from data minimization, including improving operational efficiency, privacy, and compliance with regulatory requirements. 

Using data anonymization, organizations can create a data-democratizing environment by ensuring safe, secure, collaborative access to information without compromising individual privacy, for example. A retail organization may be able to use anonymized customer data to facilitate a variety of decision-making processes that facilitate agility and responsiveness to market demands by teams across departments, for example. 

Additionally, it simplifies business operations by ensuring that only relevant information is gathered and managed to simplify the management of business data. The use of this approach allows organizations to streamline their workflows, optimize their resource allocations, and increase the efficiency of functions such as customer service, order fulfillment, and analytics. 

Another important benefit of this approach is strengthening data privacy, which allows organizations to reduce the risk of data breaches and unauthorized access, safeguard sensitive customer data, and strengthen the trust that they have in their commitment to security by collecting only essential information. Last but not least, in the event of a data breach, it is significantly less impactful if only critical data is retained. 

By doing this, users' organization and its stakeholders are protected from extensive reputational and financial damage, as well as extensive financial loss. To achieve effective, ethical, and sustainable data management, data minimization has to be a cornerstone.
Read more »
Vulnerabilities and Exploits
Botnet Cyberattacks CyberCrime Cybersecurity CyberThreat Cyberthreats DDOS Attacks IoT Vulnerabilities and Exploits

Understanding and Preventing Botnet Attacks: A Comprehensive Guide

 


Botnet attacks exploit a command-and-control model, enabling hackers to control infected devices, often referred to as "zombie bots," remotely. The strength of such an attack depends on the number of devices compromised by the hacker’s malware, making botnets a potent tool for large-scale cyberattacks.

Any device connected to the internet is at risk of becoming part of a botnet, especially if it lacks regular antivirus updates. According to CSO Online, botnets represent one of the most significant and rapidly growing cybersecurity threats. In the first half of 2022 alone, researchers detected 67 million botnet connections originating from over 600,000 unique IP addresses.

Botnet attacks typically involve compromising everyday devices like smartphones, smart thermostats, and webcams, giving attackers access to thousands of devices without the owners' knowledge. Once compromised, these devices can be used to launch spam campaigns, steal sensitive data, or execute Distributed Denial of Service (DDoS) attacks. The infamous Mirai botnet attack in October 2016 demonstrated the devastating potential of botnets, temporarily taking down major websites such as Twitter, CNN, Reddit, and Netflix by exploiting vulnerabilities in IoT devices.

The Lifecycle of a Botnet

Botnets are created through a structured process that typically involves five key steps:

  1. Infection: Malware spreads through phishing emails, infected downloads, or exploiting software vulnerabilities.
  2. Connection: Compromised devices connect to a command-and-control (C&C) server, allowing the botmaster to issue instructions.
  3. Assignment: Bots are tasked with specific activities like sending spam or launching DDoS attacks.
  4. Execution: Bots operate collectively to maximize the impact of their tasks.
  5. Reporting: Bots send updates back to the C&C server about their activities and outcomes.

These steps allow cybercriminals to exploit botnets for coordinated and anonymous attacks, making them a significant threat to individuals and organizations alike.

Signs of a Compromised Device

Recognizing a compromised device is crucial. Look out for the following warning signs:

  • Lagging or overheating when the device is not in use.
  • Unexpected spikes in internet usage.
  • Unfamiliar or abnormal software behavior.

If you suspect an infection, run a malware scan immediately and consider resetting the device to factory settings for a fresh start.

How to Protect Against Botnet Attacks

Safeguarding against botnets doesn’t require extensive technical expertise. Here are practical measures to enhance your cybersecurity:

Secure Your Home Network

  • Set strong, unique passwords and change default router settings after installation.
  • Enable WPA3 encryption and hide your network’s SSID.

Protect IoT Devices

  • Choose products from companies that offer regular security updates.
  • Disable unnecessary features like remote access and replace default passwords.

Account Security

  • Create strong passwords using a password manager to manage credentials securely.
  • Enable multi-factor authentication (MFA) for an added layer of security.

Stay Updated

  • Keep all software and firmware updated to patch vulnerabilities.
  • Enable automatic updates whenever possible.

Be Wary of Phishing

  • Verify communications directly with the source before providing sensitive information.
  • Avoid clicking on links or downloading attachments from untrusted sources.

Use Antivirus Software

  • Install reputable antivirus programs like Norton, McAfee, or free options like Avast.

Turn Off Devices When Not in Use

  • Disconnect smart devices like TVs, printers, and home assistants to minimize risks.

Organizations can mitigate botnet risks by deploying advanced endpoint protection, strengthening corporate cybersecurity systems, and staying vigilant against evolving threats. Implementing robust security measures ensures that businesses remain resilient against increasingly sophisticated botnet-driven cyberattacks.

Botnet attacks pose a serious threat to both individual and organizational cybersecurity. By adopting proactive and practical measures, users can significantly reduce the risk of becoming victims and contribute to a safer digital environment.

Read more »
WInnti Hackers
Chinese Cyber Threat Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat Glutton PHP Backdoors WInnti Hackers

Rising Tactics of Winnti Hackers Include Deploying Glutton PHP Backdoors

 


In the past few months, researchers at a Chinese cybersecurity firm have been responsible for the discovery of an advanced PHP backdoor that supports Winnti, a group linked to Chinese cybercrime that is launching increasingly sophisticated attacks. Research has been conducted into the use of a PHP-based backdoor called Glutton, which has been used by cyber criminals to target China, Japan, the Republic of Korea, Cambodia, Pakistan, and South Africa through cyber attacks. 

As early as late April 2024, the Chinese nation-state group set up by Winnti (aka APT41), which has roots in North Korea, discovered malicious activity in a network from the Chinese nation-state group Chongqing Henchmen. The company also disclosed that its investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market with their tools to create malware. They poisoned operations intending to turn cybercriminals' tools against them, similar to the classic scenario from the movie.

The Winnti hacking group, sometimes referred to as APT41 is a notorious state-sponsored group known for conducting cyber espionage and financial fraud campaigns on behalf of the Chinese government. When the group appeared on the scene in 2012, it focused mostly on organizations involved in gaming, pharmaceuticals, and telecommunications, though it also attacked political organizations and government agencies. A modular backdoor made up of ELF modules, Glotto provides flexibility to craft tailored attacks to meet the attacker's specific needs. Several key components make up this malware: task_loader, which assesses the environment; init_task, which installs the backdoor; client_loader, which obfuscates the application; and client_task, which manages PHP backdoor operations and communicates with the command-and-control (C2) server. 

Through fileless execution, the malware runs entirely within PHP or PHP-FPM processes and injects malicious code into PHP files within popular frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, thereby achieving stealth. Glutton maintains persistence in the system by modifying system files including those in the init[.]d network section and those in the Baota panel, allowing it to steal credentials and maintain a foothold on the system. 

By using a modular approach to code, Glutton can function without leaving traditional digital footprints behind, because all code execution is carried out within PHP, and there is a feature called PHP-FPM (FastCGI) that is used to optimize PHP process handling on web servers, which ensures that no files are left behind and that the backdoor remains undetected until it is discovered.  There are several PHP frameworks that Glutton can exploit to extract data or inject malicious code into widely used PHP frameworks, including Baota, ThinkPHP, Yii, and Laravel, when deployed with Glutton. 

It was in December 2023, when researchers traced the unusual activity to an IP address that was distributing a backdoor which targeted Unix-like operating systems, also commonly known as ELF-based malware, that researchers first discovered that Glutton was a backdoor. Further research revealed that the ELF-based malware also contained a malicious PHP file. Researchers uncovered a network of malicious PHP payloads connected to a network of malicious PHP payloads, revealing a complex attack infrastructure.

Researchers have indicated that the malware has a connection with Winnti’s historical activities, but they point out that there are several shortcomings when it comes to stealth and execution, which are uncharacteristically underwhelming for an APT group. Even though Winnti's behaviour normally does not include plaintext PHP samples and simplistic C2 communication protocols, the researchers believe that Winnti is the one responsible for the malware with some degree of confidence. The researchers also pointed out that Winnti "deliberately targeted systems within the cybercrime market" to spread the malware to as many targets as possible.

According to XLab researchers, Winnti "deliberately targeted systems within the cybercrime market" to help spread its virus as far as possible, but that was not the case.  Recent research has consistently shown that threat actors piggyback on each other’s infrastructure to exploit their vulnerabilities. In a report published by Microsoft, it was found that Turla, an APT group linked to the Russian government, has been running its operations using infrastructure previously set up by other APT groups or cybercriminals. 

In addition to being a fully functional backdoor, the PHP backdoor is also able to execute 22 unique commands, including switching C2 connections to UDP from TCP, launching a shell, downloading and uploading files, performing file and directory operations, and running arbitrary PHP code. Additionally, this framework provides the ability to periodically poll the C2 server for more PHP payloads, allowing for the retrieval and execution of more PHP payloads. According to XLab, these payloads are highly modular, capable of being executed independently by the payload module or sequentially by the task_loader module, providing a comprehensive framework to execute attacks, independently. 

There is no file payload left behind, ensuring no files or data are left behind after code execution, which ensures a completely stealthy footprint since all the code is executed within PHP or PHP-FPM (FastCGI) processes. In addition to this, HackBrowserData is also being used by cybercrime operators to steal sensitive information to inform future phishing or social engineering campaigns in the future. This tool can be used on any system used by a cybercriminal to steal sensitive information.
Read more »
Privacy
Android App Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat Google iOS Malicious Network Privacy

Google Warns Users About Privacy Risks Posed by Certain Android Apps

 


It has recently been reported by a leading media outlet that more than 11 million Android devices have been infected with malicious software known as the Necro Trojan, which has crept into phones and tablets through unofficially modified applications, games, and game modifications. Google is making an effort to narrow the gap between Android 15 and iPhone on the front of security and privacy. 

The new Android OS brings several welcome changes that will protect its users, their devices, and their data better over time. These include live threat detection that can identify malware and abuse of permissions as soon as they are detected, mobile network defence, and tighter controls over what apps are performing behind the scenes. There is still a lot of room on Android for permission abuse since it relates to that shadowy area between apps that behave properly and outright spyware—of which there are still a lot of examples available.

There is no doubt that Apple led the charge in limiting location tracking, and use of sensitive phone functionality like a camera, messaging, and contacts, as well as restricting access to location data. Google has released Android 15 on millions of Pixel devices, and it is now available for download. Although this update emphasizes security and privacy over anything else, two of its most important and headline-grabbing features were left out of the new upgrade. 

Two things are coming shortly, but the first one is not coming until the end of the year, and the second one is imminent. Google's new mobile network security, which prevents users from having their identities tracked and intercepted via the network, is maybe the most significant long-term security feature that is missing. It has been leaked that Android 15 will include an improved Privacy Dashboard as a part of the updates brought by the new version. 

9to5Google reports that, in the next few weeks after Android 16 Developer Preview 1 was released last month, Google will release a 7-day history for the privacy dashboard in Android 15, the first time that a 7-day history has been added. This is expected to be released via the Google Play system update in November 2024." It has been announced in the past month that Google will soon launch a 7-day history for the Privacy dashboard in Android 16, following the introduction of Android 16 Developer Preview 1 last month. There is a new system update to Google Play in November 2024 that will bring this update to the public. 

When the app is installed, go to the Settings app > Privacy & Security > Privacy dashboard to access the privacy information. There is now an option "Show 7 days" in the overflow menu located in the upper-right corner of the screen, joining the existing "Show system" option at the top.  Throughout the following tables, users will notice that the stats will change from "Past 24 hours" to "Past 7 days" as a longer timeframe for the usage of Location, Camera, and Microphone gets introduced.  This is the most sensitive spyware function on users' phones, and they need to pay special attention to how it is being used. 

The best advice for users would be to stop stopping permissions from being granted in the first place and not monitor afterwards, but rather to stop granting them in the first place. Even though an app might have no dangerous permissions, it can still pose a risk. There is no such thing as a safe number of permissions for an app, according to Cybernews researchers. By just installing the app on a device, the app has access to many more permissions that are considered harmless and non-dangerous. 

The apps used in these scenarios can still perform tasks such as starting up, staying in the background, accessing confidential information, etc. Taking this into consideration, it is critical to regularly remove unnecessary apps, revoke excessive permissions that infringe on privacy, and consider visiting the same services through the web browser rather than using the device's app store. This is a new Android Remote Access Trojan (RAT), and it combines both the classic VNC and overlay capabilities, as well as features often associated with spyware, to produce a powerful and sophisticated Android Trojan. 

There are keyloggers embedded in this program, as well as monitoring routines that provide the ability to capture user data and intercept user interactions, which makes it a powerful tool for spying on users and stealing credentials. Accessibility Services is also a permission that is never granted to any app without its requirement. Accessibility Services are also a system tool, which malware is capable of abusing to take control of devices and their key system functions if given regardless of their necessity. 

Additionally, a new feature that detects scam calls is being rolled out starting with Pixel devices. Specifically, it's available to U.S. phones by Google users with the Pixel 6 or newer device in English. This new update might be making some Samsung Galaxy owners jealous as they watch on with a sense of envy. As the headlines speculate on when the Android 15 beta will debut, the speculation continues again this week, with no sign of an imminent stable release until next year, and the release of Samsung's Galaxy S25 smartphone series only a year away. 

A certain degree of risk is inherent in every mobile application, which makes it imperative for the user to maintain a high level of precaution when it comes to ensuring the security of their data and privacy. Security experts insist that it is crucial to carefully review app permissions before granting them access to users' devices. Users should always disable location services whenever possible—concerned, however, that some applications may not be able to operate properly without them should turn off geotagging for photographs when not required. 

There can be many sensitive information contained in location and geotagging information. It is likely that marketers, and potentially malign actors, will analyze this information to develop a comprehensive profile of each individual's movements and habits based on the information they gathered. To protect the phone's privacy, users must not underestimate the implications of such access. There is expert advice that users should revoke permissions for apps that appear too restrictive on the app's functionality for their utility. 

The best course of action is to uninstall an application if it is unable to customize permissions and poses privacy concerns to users without having the ability to customize them. Research on highly secure messaging applications designed for both iPhone and Android platforms could benefit those looking to enhance the level of security in their communication. As the world of communication becomes increasingly interconnected, these apps cater to users' needs in terms of privacy and data encryption.
Read more »
Supplychain
Broker Support Comtel Cyber Security Cyber Vulnerabilities Cyberattacls CyberCrime Cyberhackers CyberThreat Supplychain

Critical Vulnerability Found in Cleo's File-Sharing Tools: Immediate Action Required

 


A critical security vulnerability has been discovered in Cleo's popular file-sharing tools, including Cleo Integration Cloud, Cleo Harmony, and Cleo VLTrader. This flaw puts businesses and users at significant risk of cyberattacks, prompting cybersecurity experts to urge immediate preventive measures.

The Vulnerability and Its Potential Impact

Security researchers have identified a critical flaw in Cleo's file-sharing platforms, which could allow remote attackers to access sensitive files and even manipulate data transfers. The vulnerability primarily affects enterprises using Cleo’s tools for B2B file transfers. This flaw makes it easier for attackers to intercept data during transmission or exploit weak authentication protocols to gain unauthorized access to the systems.

This issue is not just a theoretical risk—there have already been incidents where hackers have successfully exploited similar vulnerabilities in other systems. Given the widespread use of Cleo tools across industries such as healthcare, logistics, and finance, the potential damage is severe, with sensitive business data and personal information at risk.

Cleo's Response and Immediate Steps for Users

Cleo has acknowledged the issue and is working to release an updated patch that addresses the vulnerability. However, experts warn that until this patch is fully deployed, businesses should take immediate precautions. The following actions are recommended to reduce the risk:

  • Install the latest security updates from Cleo as soon as they are available.
  • Place all file-sharing tools behind a robust firewall to prevent unauthorized access.
  • Monitor network activity for unusual file transfers or signs of potential breaches.
  • Enforce strong authentication protocols, including multi-factor authentication wherever possible.

By following these best practices, organizations can minimize their exposure while awaiting a more comprehensive fix from Cleo.

The Broader Implications for File-Sharing Security

This incident highlights a growing trend in vulnerabilities affecting file-sharing and managed file transfer (MFT) tools. In 2023, a similar flaw was discovered in the MOVEit MFT solution, which was exploited by cybercriminals to access sensitive corporate data worldwide. As more organizations rely on file-sharing platforms to facilitate data exchange, the importance of securing these tools cannot be overstated.

Recommended Security Measures for File-Sharing Platforms

To protect against potential threats, companies using file-sharing tools should implement the following security measures:

  • Regularly apply security patches and updates provided by software vendors.
  • Ensure that all file-sharing systems are protected by firewalls and other protective layers.
  • Continuously monitor file transfer activities for any signs of unauthorized access or data manipulation.

As file-sharing tools are integral to the functioning of modern enterprises, prioritizing their security is essential for safeguarding sensitive data and ensuring operational continuity.

Read more »
Technology
Bitcoin Bitcoin Vulnerability CyberCrime Cybersecurity CyberThreat Google Quantum Technology

Is Bitcoin Vulnerable to Google’s Quantum Breakthrough?

 


Earlier this month, Google CEO Sundar Pichai announced the creation of their new quantum computing chips called "Willow", which caused a few ripples in the Bitcoin investment community, but also caused some skepticism among Bitcoin skeptics due to the announcement. A viral tweet sent out by Geiger Capital declaring "Bitcoin is dead" as a joke sparked a flood of mockery from skeptics who jumped at the opportunity to disparage the cryptocurrency. 

As the news cycle changes every few years, it happens every time there is news regarding quantum computing (QC) fear associated with Bitcoin. This may have been sparked by Google's successive chip announcements. Among the world's cryptocurrency communities, Google's newest quantum chip, Willow, has stirred up quite a bit of discussion. It has raised concerns over the possibility that Willow could breach Bitcoin's encryption, which is encrypted around the $2 trillion blockchain, which would allow any computer to perform a computation that would require a supercomputer billions of years to complete. 

As a result of the announcement, Bitcoin's price dipped briefly but quickly recovered back to its previous level. Those were the feelings for some people on Monday, at the unveiling of Willow, a quantum supercomputer, which is capable of performing certain computational tasks in just five minutes, which would otherwise take a classical supercomputer an astronomical amount of time -- specifically, 10 septillion years if it were classical. 

Even though there is an acknowledgement that quantum computing poses several theoretical risks, panic is still relatively low. The developers of Ethereum were among those who suggested that blockchains can be updated to resist quantum attacks, just as Bitcoin was upgraded in 2021 through the Taproot upgrade, which prepared the network for quantum attacks. There seems to be no immediate threat from this direction at the moment. Despite Willow's impressive achievements, there are no immediate commercial applications to be had from the company's technology. 

According to experts in the crypto industry, there is still time for the industry to adapt in anticipation of quantum computing's threat. A quantum computer also relies on entanglement to detect qubit states, where one qubit's state is directly correlated with another qubit's state. Their system is based on the use of quantum algorithms, such as Shor's and Grover's, that are already well-established and were designed to solve mathematical problems that would take classical computers billions of years to solve. 

Despite this, there's a catch: most machines are error-prone and require extreme conditions such as nearly absolute zero temperatures to operate, and they're far from the scale needed to handle the size of cryptographic systems like public key cryptography or bitcoin that exist in real life. As quantum computing is capable of solving problems at unprecedented speeds, it has long been considered that quantum computing can be a powerful tool for solving cryptographic problems, and this is true for both classical and elliptic curve-based cryptography. 

A Bitcoin transaction relies on two cryptographic pillars: the ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm applies to securing the private keys and the SHA-256 algorithm for hashing the transaction. There are two types of computers, both of which are considered robust against conventional computers at present. However, the advent of powerful and error-correcting quantum computers will probably upend that assumption by making it trivial to solve classical cryptographic puzzles, thus making them obsolete. The recent announcement of Willow is being widely seen as a landmark achievement throughout the world of quantum computing. 

Despite this, experts still believe that Bitcoin will remain safe for the foreseeable future, according to a Coinpedia report. Even though researchers are hailing Willow as a breakthrough in the world of quantum computing, there is consensus among experts that Bitcoin remains safe, according to a report published in Coinpedia. As Willow works faster than classical computers at certain tasks, it is still nowhere near as powerful as the computers that crack Bitcoin's encryption. There is a theoretical possibility that quantum computers can be used to reduce Grover’s Algorithm to two times 128, thus making the problem, from a principle viewpoint, more manageable.

The problem, however, is that this still requires computation resources of a scale that humanity is undoubtedly far from possessing. In terms of quantum mechanics, as an example, the University of Sussex estimates that, depending on the speed of the operation, to break SHA-256 within a practical timeframe, 13 million to 317 million qubits will be required. It is interesting to note that there are only 105 qubits on Google's Willow chip, in comparison. 

The quantum computer represents a fascinating frontier in technology, but so far it is far from posing a credible threat to Bitcoin's cryptography despite its growing popularity. The use of QC is going to increase, and Bitcoin will become more vulnerable. However, bitcoin may only be vulnerable after other cryptographic systems with weaker encryption have been attacked first, such as systems used by banks and the military. Although the progress of quality control is uncertain, it is assumed that the worry is still decades away based on improvements made in the last five years.

While waiting for these solutions to be established, Bitcoin already has many of them in place. Since it is decentralized, the protocol can be updated whenever necessary to address these vulnerabilities. In recent years, several quantum-resistant algorithms, including Lamport signatures, have been examined, and new address types have been added through soft forks. In the wake of the Willow chip announcement, there has been much speculation about possible defects within bitcoin that are more a matter of confirmation bias among skeptics than even Bitcoin itself. 

Bitcoin is not going anywhere anytime soon. In fact, it is quite the opposite. It is important to note that Bitcoin has a robust cryptographic foundation and a clear path to quantum resistance if necessary, making it more resilient than other technologies that might be susceptible to the threat of quantum computing in the future. Despite Google's announcement, most people still believe that quantum computing will not directly threaten Bitcoin's hash rate or Satoshi's coins soon, even after the announcement was made. 

Additionally, Google plans to explore potential real-world applications for Willow, which suggests that Willow is already making impressive strides but also that its application scope is quite narrow by comparison. Although it’s not yet fully operational, this development serves as a crucial reminder for blockchain developers. The growing potential of quantum computing underscores the need to prepare digital assets for the challenges it may bring. 

To safeguard against future threats, Bitcoin may eventually require a protocol upgrade, possibly involving a hard fork, to incorporate quantum-resistant cryptographic measures. This proactive approach will be essential for ensuring the longevity and security of digital currencies in the face of rapidly advancing technology.
Read more »
Security Chain
Blue Yonder CNN Cyber Attacks Cyberattacks Cyberhackers CyberThreat Cybver Security Security Chain

Blue Yonder Cyberattack: A Wake-Up Call for Supply Chain Security

 


Blue Yonder, a prominent supply chain software provider used by major U.S. grocery chains like Safeway and Fred Meyer, is investigating a significant cyberattack. The ransomware group Termite has claimed responsibility, threatening to publish 680 gigabytes of stolen data, including documents, reports, and email lists, if its claims are verified.

The Cyberattack

On November 21, 2024, Blue Yonder, an Arizona-based company serving clients such as DHL, Starbucks, and Walgreens, experienced a ransomware incident that compromised its network and disrupted services. Though the company confirmed the attack, it has refrained from naming the perpetrators or specifying the type of data stolen. However, Termite has indicated plans to use the stolen data for future attacks.

Similarities to Babuk Ransomware

Security experts suspect that Termite might be a rebranding of the notorious Russian-linked Babuk ransomware group, responsible for over 65 attacks and $13 million in ransom payments as per the U.S. Department of Justice. Researchers from Cyble and Broadcom have observed Termite using a modified version of Babuk’s ransomware strain, further linking the two groups.

Operational Disruptions

The attack caused significant operational disruptions for Blue Yonder’s clients, including major UK supermarkets. One of the largest food retailers, Morrisons, faced interruptions in the flow of goods to its nearly 500 stores. This highlights the far-reaching consequences of ransomware attacks on supply chain networks.

Investigation and Customer Communication

Blue Yonder is collaborating with cybersecurity experts to investigate the breach and has informed affected customers. However, the company has not disclosed specific details about the stolen data. Lucy Milburn, a spokeswoman for the UK’s Information Commissioner’s Office, confirmed that Blue Yonder has not yet reported the data breach to the regulator.

Previous Incidents and Lessons Learned

Ransomware attacks continue to impact industries globally. Earlier this year, healthcare company Change Healthcare suffered a massive attack, disrupting millions of billing systems and affecting hospital care. In another case, hackers targeting AT&T accessed tens of millions of phone calls and text messages, with the company reportedly paying $400,000 to secure the stolen data.

The Need for Robust Cybersecurity

These incidents, including the Blue Yonder attack, underline the importance of proactive cybersecurity measures:

  • Updated defenses: Companies must ensure their cybersecurity systems are up to date.
  • Staff awareness: Employees should be trained to recognize phishing attempts and know how to respond to system compromises.
  • Third-party supplier protocols: Organizations should verify the security practices of their suppliers to mitigate risks.

Ransomware attacks can target companies of any size and in any industry, underscoring the need for comprehensive security measures. Businesses must treat these breaches as critical warnings to bolster defenses and safeguard sensitive data.

Conclusion

The Blue Yonder ransomware incident is a stark reminder of the vulnerabilities in supply chain networks. Companies must prioritize cybersecurity to protect their operations, customers, and data. As ransomware attacks grow in scale and sophistication, ensuring robust defenses is no longer optional—it is essential.

Read more »
Zero-day vulnerability
Cyber Crime Cyber Hackers CyberCrime Cybersecurity CyberThreat Internet Explorer Microsoft North Korea South Korea Zero-day vulnerability

Cyber Threat Alert for South Korea from North Korean Hackers

 


In a recent cyber-espionage campaign targeted at the United States, North Korean state-linked hacker ScarCruft recently exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets nationwide. APT37, or RedEyes as it is sometimes called, is one of the most notorious North Korean state-sponsored hacking groups, and its activities are thought to be aimed at cyber espionage. 

There is typically a focus on human rights activists from South Korea, defectors from the country, and political entities in Europe from this group. An unknown threat actor with ties to North Korea has been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell as part of a campaign targeted at Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia, and Thailand. 

Known to Securonix as SHROUDED#SLEEP, the activity is believed to have been carried out by APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft as well as several other names. ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a state-sponsored cyber-espionage threat group that almost entirely targets South Korean individuals and organizations. 

It uses spear phishing to deliver customized tools via phishing, watering holes, and zero-days for Internet Explorer. It has been reported by AhnLab that APT37 compromised one of the servers of a domestic advertising agency. Hence, the purpose is to push specially crafted 'Toast ads' as a part of an unidentified free software that is widely used by South Koreans. As a result of the CVE-2024-38178 flaw found in the JavaScript 9.dll file (Chakra) of Internet Explorer used for displaying these advertisements, it caused the JavaScript file named 'ad_toast' to trigger remote code execution via CVE-2024-38178 in the JavaScript9.dll file.

There is a deep correlation between the malware that was dropped in this attack and the RokRAT malware, which ScarCruft has been using for years to launch attacks. In essence, RokRATs primary function is to exfiltrate to Yandex cloud instances every 30 minutes file matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt, .amr) that match these extensions. In addition to keylogging, Keylogger also monitors for changes made to the clipboard and captures screenshots (every three minutes) as well. 

In July 2022, ScarCruft, a North Korean threat actor who operates in North Korean cyberspace, began experimenting with oversized LNK files as a delivery route for RokRAT malware, just a couple of months after Microsoft began blocking macros by default across several Office documents. Check Point has released a new report on its technical analysis of RokRAT that concludes that the malware has not changed significantly over the years, but the deployment method has evolved. RokRAT now uses archives that contain LNK files, resulting in infection chains that move through multiple stages. 

As a result of this round of activity, is another indication of a major trend in the threat landscape, where both APTs, as well as cybercriminals, will try to overcome the restriction on macros coming from untrusted sources. Having made the news in the past few days, a new campaign with the intriguing name "Code on Toast," has raised serious concerns about the vulnerability of software still embedded in widely used systems, even after the retirement of Internet Explorer. According to a joint report by the National Cyber Security Center (NCSC) of South Korea, and AhnLab (ASEC), the incident occurred earlier this year. 

There was a unique way for these malware infections to be spread by using toast pop-up ads as how the campaign was delivered. There is a unique aspect of this campaign that focuses on the way ScarCruft distributes its malware through the use of toast notifications and small pop-ups that appear when antivirus software or free utilities are running. As a result of ScarCruft’s compromise of the server of a domestic ad agency in South Korea, a malicious "toast ad" made by ScarCruft was sent to many South Korean users through a popular, yet unnamed, free piece of software. 

To accomplish ScarCruft’s attack, a zero-day Internet Explorer vulnerability, CVE-2024-38178, with a severity rating of 7.5, must be exploited cleverly. As a consequence of this, Edge users in Internet Explorer mode can potentially execute remote code through a memory corruption bug in the Scripting Engine, which can result in remote code execution. This vulnerability was patched for August 2024 as part of Microsoft's Patch Tuesday update, part of this annual update program. 

By using toast notifications, typically harmless pop-up ads from anti-virus software or utility programs, the group silently delivered malware through a zero-click infection method using a zero-click virus delivery mechanism. As a result, it has become necessary for an attacker to convince a user to click on a URL that has been specially crafted to initiate the execution of malicious code to successfully exploit a vulnerability. 

Having used such advanced techniques, ScarCruft clearly emphasizes the need for South Korea's digital landscape to remain protected from such threats in the future. It is unfortunate that no matter how much effort is put into phasing out outdated systems, security vulnerabilities have caused problems in legacy components like Internet Explorer. Although Microsoft announced it would retire Internet Explorer at the end of 2022, many of the browser's components remain in Windows, or they are being used by third-party products, allowing threat actors to come across new vulnerabilities and exploit them for their purposes. As a result of this campaign, organizations will be reminded of the importance of prioritizing cybersecurity updates and maintaining robust defences against increasingly sophisticated cyber threats backed by governments.
Read more »
SMS
CyberCrime Cyberhackers Cybersecurity CyberThreat Digital Evidence Judicial Response Privacy SMS

Forensic Analysis in the eXp Realty Case: Privacy and Evidence Integrity

 


In a recent video hearing for the case Acevedo v. eXp, related to a sexual assault claim, a judge deliberated on whether to grant a protective order that would prevent a forensic examination of eXp founder and chairman Glenn Sanford's cell phone during the discovery process.

The plaintiff argued that Sanford’s right to privacy does not override their request for electronically stored information (ESI) to review metadata. Courtrooms increasingly rely on text message screenshots as evidence, but the authenticity of these screenshots is frequently called into question. In a prior case, Sanford provided screenshots of text messages, but these alone failed to meet evidentiary standards for authenticity.

The Role of Forensic Analysis

Sanford submitted screenshots of text message conversations in court, which the plaintiffs argued were insufficient for evidentiary purposes. According to RisMedia, the self-collection method allegedly used by Sanford was inadequate. The US District Court for the Southern District of New York, under Judge Judith Rosenberg, issued a protective order requiring Sanford to collaborate with a digital evidence expert. This ensures that the extraction and verification of text messages from the physical device adhere to strict privacy safeguards.

Forensic analysis plays a pivotal role in ensuring the authenticity of digital evidence. The process retrieves all available data without bias, including potentially deleted content, to present a complete and credible picture of the evidence while respecting privacy concerns.

Advanced Technology in Digital Forensics

Forensic investigations rely on cutting-edge tools like Cellebrite and Magnet Forensics GrayKey to extract comprehensive data from mobile devices. This process, known as forensic acquisition, systematically retrieves all available data fields without prefiltering, ensuring that no evidence is overlooked.

The complexity of mobile data storage presents challenges, making exhaustive and unbiased data collection essential to meet evidentiary standards. Forensic analysis goes beyond recovering visible messages by retrieving associated metadata, deleted communications, and other artifacts to provide a complete picture of the evidence.

Privacy vs. Evidentiary Needs

While forensic investigations are invaluable for uncovering the truth, their intrusive nature raises significant privacy concerns. Judge Rosenberg's protective order aims to strike a balance between maintaining the integrity of the forensic process and safeguarding individual privacy. The order emphasizes responsible handling of sensitive data while ensuring that the evidence presented in court is credible.

Challenges with Traditional Evidence

Traditional SMS and MMS messages are logged by mobile carriers, generating call detail records (CDRs) that include timestamps, phone numbers, and network information. However, these records do not contain the content of the messages, which is typically deleted shortly after transmission. Internet-based messaging platforms like iMessage, WhatsApp, and Telegram bypass traditional cellular networks, leaving carriers unable to log these communications.

Forensic analysis of physical devices remains the most reliable way to retrieve complete messaging data, including metadata and deleted content, from these platforms. Such detailed analysis ensures that digital evidence can withstand rigorous scrutiny in court.

The Growing Importance of Digital Forensics

The eXp Realty case highlights the increasing reliance on advanced digital forensic methods to address the limitations of traditional evidence like screenshots. Comprehensive forensic investigations provide verifiable records, capturing nuanced details that enhance the reliability of evidence.

Courts are increasingly adopting protective orders to balance privacy with evidentiary needs, emphasizing the importance of accurate and trustworthy evidence. This case illustrates how digital forensic methods are evolving to meet the demands of modern legal disputes in an era dominated by technology.

Read more »
Visual Studio Code
CyberCrime cybercriminals Cyberespionage Operation Cyberhackers CyberThreat Data Breach IT Service Operation Digital Eyes Visual Studio Code

Operation Digital Eye Reveals Cybersecurity Breach

 


It has been recently reported that a Chinese group of Advanced Persistent Threats (APTs) has carried out a sophisticated cyberespionage operation dubbed "Operation Digital Eye" against the United States.  Between the end of June and the middle of July 2030, a campaign targeting large business-to-business (B2B) IT service providers in southern Europe between late June and mid-July 2024 was reported by Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, and Luigi Martire, Senior Malware Analyst at Tinexta Cyber. 

Several threats are targeting business-to-business IT service providers in southern Europe, according to Tinexta Cyber and SentinelLabs, both of which have been tracking these activities. As a result of assessing the malware, infrastructure, techniques used, victimology, and timing of the activities, it has been concluded that there is a high likelihood that a cyberespionage actor of the China nexus conducted these attacks. 

A group of Chinese hackers has been observed utilizing Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems at large IT service providers in Southern Europe. There is no information regarding which hacker group aligned with China is behind the attacks at this time, which is complicated by the fact that many of those aligned with the East Asian nation share a multitude of toolsets and infrastructure. 

VS Code is the latest version of Microsoft's code editor that is optimized for building and debugging modern web and cloud applications that utilize modern web technologies. VS Code is a lightweight but feature-rich source code editor that runs on your desktop and is available for Windows, Mac OS X, and Linux clients. It is available on most major platforms. In addition to these built-in support technologies, it also comes with a rich ecosystem of extensions that can be used with other languages and runtimes, including JavaScript, TypeScript, and Node.js. According to companies, most breaching chains that firms observe entail using SQL injections as a first point of access for breaching systems connected to the internet, such as web applications and databases. 

To inject code into the target computer, a legitimate penetration testing tool called SQLmap was used. This tool made it possible to detect and exploit SQL injection flaws automatically. Following gaining access to the system, PHPsert was deployed, which was a PHP-based web shell that would allow them to execute commands remotely or to introduce additional payloads once they fully established access. To move laterally, the attackers used RDP and pass-the-hash attacks to migrate from one target to another, specifically using a custom version of Mimikatz ('bK2o.exe') in addition to RDP. 

Using the 'WINSW' tool, the hackers installed a portable, legitimate version of Visual Studio Code on the compromised computers ('code.exe') and set it up as a persistent Windows service to make sure it would run on every device. VSCode was configured with the tunnel parameter, enabling remote development access on the machine, and then the tunnel parameter was configured to be enabled by default. Visual Studio Code tunnels are a feature of Microsoft's Remote Development feature. 

This feature allows VSCode developers to select files on remote systems for editing and working via Visual Studio Code's remote servers. As a powerful development tool, RemoteDeveloper allows developers to run commands and access the file systems of remote devices, which makes it a viable option for developers. With the use of Microsoft Azure infrastructure for the tunnel creation and the signing of executables, trustworthy access to the network can be assured. 

"Operation Digital Eye" illustrates the concept of lateral movement using techniques linked to a single vendor or a "digital quartermaster" operating within the Chinese APT ecosystem in the form of lateral movement. During the study, the researchers discovered that the attackers used Visual Studio Code and Microsoft Azure for command-and-control (C2) to evade detection, which they considered to be a matter of good judgment. 

There has never been an observation of a suspected Chinese APT group using Visual Studio Code for C2 operations before, signalling a significant change in what China is doing about APTs. According to recent research conducted by Unit 42, it has been discovered that Stately Taurus has been abusing popular web development software Visual Studio Code in its espionage operations targeting government organizations in Southeast Asia. Defending the Chinese government from attacks by Stately Taurus, a group of advanced persistent threats (APTs) involved in cyber espionage. It seems that this threat actor relied on Microsoft's Visual Studio Code embedded reverse shell feature to gain an entry point into the target network. 

An expert in the field of security discovered this technique as recently as 2023, which is relatively new. Even though European countries and China have complex ties, there is also a great deal of cooperation, competition, and undercurrent tension in areas like trade, investment, and technology, due to the complex relationships between them. China-linked cyber espionage groups target public and private organizations across Europe sporadically to gather strategic intelligence, gain competitive advantages, as well as advance the geopolitical, economic, and technological interests of China. 

In the summer of 2024, a coordinated attack campaign dubbed Operation Digital Eye was carried out by Russian intelligence services, lasting approximately three weeks from late June to mid-July 2024. As a result of the targeted organizations' capabilities to manage data, infrastructure, and cybersecurity for a wide range of clients across various industries, they are prime targets for cyberespionage activities.

As part of Operation Digital Eye, researchers highlight how Chinese cyberespionage groups continue to pose an ongoing threat to European entities, with these actors continuing to use high-value targets as targets of espionage. Even though the campaign emphasizes the strategic nature of this threat, it is important to realize that when attackers breach organizations that provide data, infrastructure, and cybersecurity services to other industries, they gain access to the digital supply chain, allowing them to extend their influence to downstream companies. 

This exploit relies on SSH and Visual Studio Code Remote Tunnels, which were used by the attackers to execute remote commands on their compromised endpoints by using their GitHub accounts as authentication credentials and connections. By using the browser-based version of Visual Studio Code ("vscode[.]dev"), they were able to access the compromised endpoints. Despite this, it remains unclear whether the threat actors used freshly created GitHub accounts to authenticate their access to the tunnels or if they had already compromised GitHub accounts. 

In addition to mimicking, several other aspects point to a Chinese presence, including the presence of simplified Chinese comments within PHPsert, the fact that M247 provides the infrastructure for this server, and the fact that Visual Studio Code is being used as a backdoor, the last of which has been attributed to the actor who portrayed Mustang Panda. The investigation uncovered that the threat actors associated with Operation Digital Eye demonstrated a notable pattern of activity within the networks of targeted organizations. 

Their operations were predominantly aligned with conventional working hours in China, spanning from 9 a.m. to 9 p.m. CST. This consistent timing hints at a structured and deliberate approach, likely coordinated with broader operational schedules. One of the standout features of this campaign was the observed lateral movement within compromised environments. This capability was traced back to custom modifications of Mimikatz, a tool that has been leveraged in earlier cyberespionage activities. 

These tailored adjustments suggest the potential involvement of centralized entities, often referred to as digital quartermasters or shared vendors, within the ecosystem of Chinese Advanced Persistent Threats (APTs). These centralized facilitators play a pivotal role in sustaining and enhancing the effectiveness of cyberespionage campaigns. 

By providing a steady stream of updated tools and refined tactics, they ensure threat actors remain adaptable and ready to exploit vulnerabilities in new targets. Their involvement underscores the strategic sophistication and collaborative infrastructure underlying such operations, highlighting the continuous evolution of capabilities aimed at achieving espionage objectives.
Read more »
Subscribe to: Posts (Atom)